An Imperfect (Cyber) Storm

Second exercise put communications between public and private sector to the test.

SAN FRANCISCO -- Say a highly organized, international group of
anti-globalization organizations coordinated a protest attack on the
network infrastructure of the United States. Maybe disgruntled
individuals and opportunistic hackers quickly launched their own
attacks when they saw what was going on.

If a systems glitch could black
out the entire northwest in 2003, what kind of damage could such
a concerted assault produce?

You might say that the biggest question is why hasn't it happened yet?

The federal government has been working with private companies and
security vendors to develop protocols and communications systems that
will let them respond quickly and share relevant information on
threats and attacks. On March 10, they put the system to the test.

Cyber Storm II was an international exercise, conducted by the
U.S. Department of Homeland Security on March 10 through 14 in Washington, D.C. High-level participants provided some general comments about what they learned in a panel discussion held at the RSA Conference on Wednesday.

"It fundamentally was about identifying and responding to a
fast-breaking cyber-epidemic. It tested our ability to identify an
attack, validate or correct the analysis with our partners -- because
we were all getting different pieces of information -- and to respond
individually and collectively," said Greg Garcia, assistant secretary
for cyber security and communications for the Department of Homeland
Security (DHS).

Cyber Storm II simulated attacks via control systems, networks,
software, and social engineering to disrupt transportation and energy
infrastructure elements of state, federal and international
government agencies.

The exploits were intended to degrade government operations and the delivery of public services, diminish the ability of authorities to help fend off attacks on other sectors and undermine public confidence.

Homeland Security hasn't disclosed the nature of the simulated attacks, but the first CyberStorm's threats ranged from denial of service attacks on the oil and gas pipeline map to unauthorized access of the FAA network, crashing the flight control system. Simulated protesters defaced newspaper Web sites and posted the No Fly List on the public Web. They sent false Amber alerts, compromised the HIPAA database and turned off the heat in government buildings.

"In Cyber Storm I, we learned lessons on what we needed to do to
get information and propagation strategies out, and get information
back," said Randy Vickers, associate deputy director of the U.S.
Computer Emergency Readiness Team. "We wanted to leverage II to
understand how we take information we discover, develop mitigation
strategies and propagate that out."

Congress mandated these exercises to assess the nation's cyber security preparedness and response capabilities. The March exercise simulated a coordinated attack on information technology, communications, chemical, and transportation systems and assets.

Participants included 18 federal departments and agencies, the
states of California, Colorado, Delaware, Illinois, Michigan, N.C., Pennsylvania, Texas and Virginia., as well as Australia, Canada, New Zealand and the United Kingdom.
Private-sector companies included Cisco, Dow Chemical, Juniper
Networks, McAfee, Microsoft and Wachovia.

The second exercise was a shake-down cruise for the strategies and
processes put in place following the first Cyber Storm, held in 2006.
DHS will publish an after-action report in the fall saying how the
group plans to improve, based on what it learned from the exercise.

Garcia said one thing the exercise taught the agency was how
critical vendors are in time of crisis. "They built the products and
they know how they work," he told the audience, urging them to start
networking now. "Build and respect those relationships -- and
exchange those business cards now," he said, "rather than in a crisis
with your hair on fire."